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ABSTRACT 

How much redundancy should be built into a subsystem such as a space power subsystem? 
How does a reliability or design engineer choose between a power subsystem with .990 reliability and a 
more costly subsystem with .995 reliability? How does the engineer designing a power subsystem for a 
satellite decide between one power subsystem and a more reliable but heavier power subsystem? 

High reliability is not necessarily an end in itself. High reliability may be desirable in order to 
reduce the statistically expected loss due to a subsystem failure. However, this may not be the wisest 
use of funds since the expected loss due to subsystem failure is not the only cost involved. The 
subsystem itself may be very costly. We cannot consider either the cost of the subsystem or the 
expected loss due to subsystem failure separately. We therefore minimize the total of the two costs , i.e., 
the total of the cost of the subsystem plus the expected loss due to subsystem failure. 

We consider a specific type of redundant system, called a k-out-of-n: G subsystem. Such a 
subsystem has n modules, of which k are required to be good for the subsystem to be good. We 
discuss five models which can be applied in the design of a power subsystem to select the unique 
redundancy method which will minimize the total of the cost of the power subsystem plus the expected 
loss due to the power subsystem failure. A BASIC computer program is available. 



1. INTRODUCTION 


Although much has been written about the computation of reliability, little guidance is given to 
the reliability or design engineer who is asked to build redundancy into a subsystem. How does the 
engineer choose between a subsystem with .990 reliability and a more costly subsystem with .995 reli- 
ability? How does the engineer designing a subsystem for a rocket decide between one subsystem and 
a more reliable but heavier subsystem? 

To answer these questions the engineer needs to consider not only the cost of the subsystem 
but also the losses that would occur if the subsystem fails. These losses are weighed by the probability 
of their occurrence to yield the expected loss. 

1.1 EXPECTED VALUE 

Since much of the paper is founded upon the idea of expected value or expected loss, we'll 
review some of the fundamental uses of this concept in decision- 
making applications. Suppose that you may choose between 
actions A and B. In this example, action A always results in a 
$1000 return to you. Then A has a value of $1000 and we can 
say that the expected value of A, E(A), is $1000. Action B, on 
the other hand, results in a return to you of either $500, outcome 
B,. or $1500, outcome This return is a random variable 
which depends upon circumstances beyond your control. The 
choices which you face are outlined in the box. 

If B, and B^ are equally likely, i.e., Pr(B,) = Pr(B^) = .5 (where Pr means "probability of), then 
E(B) = $500xPr(B,) + $1 500xPr(Bi, ) = $500(.5) + $1500(.5) = $1000. If you use expected value as your 
criterion, then you would be indifferent as to choice A or B, since both have an expected value of $1000. 
Also note that, although B has an expected value of $1000, you never receive $1000. Half of the time 
you receive $500 and half of the time you receive $1500. There are circumstances where you would not 
wish to use expected value as your criterion. Suppose that you had borrowed $1000 from a loan shark 
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and needed to be sure of receiving $1000 to repay your debt. A is the obvious choice. 

Now suppose that the probabilities of B, and are .4 and .6, respectively. Then E(B) = 

$500(.4) + $1500(.6) = $1100. If you use expected value as your criterion, you would choose B over A. 
Again, in unusual circumstances, such as the need to repay $1000, you might choose A over B, even 
though A has the lower expected value. For these types of circumstances, we say that the certain return 
of $1000 has a higher expected utility to you than the expected utility associated with an expected value 
of $1100, where the return can be either $500 or $1500. 

Suppose instead that action A results in a loss of $1000 whRe action B can result in a loss of 
either $500 or $1500. We could, in a manner similar to that above, analyze actions A and B in terms of 
their expected losses. Our objective would be to minimize expected loss. 

Throughout the remainder of this paper we will use expected value or expected loss as our 
criterion . For unusual circumstances, the procedures outlined in this paper can be applied using 
expected utility rather than expected value. For a more detailed discussion of utility, see [1]. 

1.2 BALANCING TWO COSTS 

Suppose that failure of a subsystem results In a loss of, say, c, dollars, c, includes all losses 
incurred by subsystem failure (but does not include the cost of the subsystem itself). A highly reliable 
subsystem will incur this loss infrequently while a less reliable subsystem will incur this loss with greater 
frequency. Since this loss occurs only when the subsystem fans, we need to consider the expected loss 
due to subsystem failure. Additionally, the main system itself (in which the subsystem is placed) also 
may fail due to causes other than failure of the subsystem in question. Let r be the reliability of the main 
system for other than failure of the subsystem. This expected loss due to subsystem failure is given by 
E{loss due to subsystem failure} = rc, Pr{subsystem failure}. 

We can minimize this expected loss by building a subsystem with an extremely low probability of 
failure, i.e., a subsystem with extremely high reliability. This is the rational for building extremely reliable 
subsystems. High reliability is not necessarily an end in itself. High reliability may be desirable in order 
to reduce the expected loss due to subsystem failure. However, this subsystem may be very costly and 
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not the wisest use of funds since the expected loss due to subsystem failure is not the only cost in- 
volved. A less reliable subsystem would, of course, result in a higher expected loss due to subsystem 
failure but may be less costly to build. In this situation it Is not dear that we should build the most 
reliable subsystem possible since this will minimize only the expected loss due to subsystem failure but 
does not consider the cost of the building the subsystem. We cannot consider either the cost of the 
subsystem or the expected loss due to subsystem failure separately . We therefore minimize the total of 
the two costs, i.e.. the total of the cost of the subsystem plus the expected loss due to subsystem 
failure . The total quantity to be minimized is given by 
C- cost of the subsystem + E{loss due to subsystem failure}. 

In minimizing C we see that we are balancing the cost of the subsystem and the expected loss . An 
inexpensive subsystem with low reliability may result in a very high E{loss} due to subsystem failure 
while an expensive subsystem itself will be costly. 

1.3 EXAMPLE 

As an example, suppose that we have four possible subsystems under consideration. 

Subsystem A, which costs one unit (hundred of thousands of dollars) has a .1 probability of subsystem 
failure. Subsystem B, with a cost of two units, has a .05 probability of subsystem failure. Subsystem C, 
with a cost of four units, has a .025 probability of subsystem failure while subsystem D, with a cost of 
ten units, has a .01 probability of subsystem failure. The more reliable subsystems have higher costs. 
Without further information and analysis, there is no clear “best" subsystem and the choice is often 
based upon the amount budgeted for the subsystem. 

In reality the subsystem is but a component of a larger system. The best subsystem for this 
larger system will depend upon both r, the reliability of this larger system and upon c, , the loss due to 
faMure of the subsystem. We’ll consider examples of four different situations. In each situation assume 
that the reliability of the system (for other than failure of the subsystem in question) is .9, i.e. r = .9. For 
situation 1 let c, = 10. For situations 2, 3 and 4 let c, = 50, 100 and 1000 respectively. The four 
situations are listed In table 1 in order of increasing loss due to subsystem failure. 
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Table 1 


Comparison of the costs and E{loss} for four 
subsystems in each of four situations 


cost of Pr(subsystem 


situation subsystem 

subsystem 

r 

c, 

failure) 

E(loss) 

C 

1 - A 

1 

.9 

10 

.1 

.9 

1.9 

1 B 

2 

.9 

10 

.05 

.45 

2.45 

1 C 

4 

.9 

10 

.025 

.225 

4.225 

1 D 

10 

.9 

10 

.01 

.09 

10.09 


2 

A 

1 

.9 

50 

.1 

4.5 

5.5 

2 

-* B 

2 

.9 

50 

.05 

2.25 

4.25 

2 

C 

4 

.9 

50 

.025 

1.125 

5.125 

2 

D 

10 

.9 

50 

.01 

.45 

10.45 


3 

A 

1 

.9 

100 

.1 

9 

10 

3 

B 

2 

.9 

100 

.05 

4.5 

6.5 

3 

- C 

4 

.9 

100 

.025 

2.25 

6.25 

3 

D 

10 

.9 

100 

.01 

.9 

10.9 


4 

A 

1 

.9 

1000 

.1 

90 

91 

4 

B 

2 

.9 

1000 

.05 

45 

47 

4 

C 

4 

.9 

1000 

.025 

22.5 

26.5 

4 

- D 

10 

.9 

1000 

.01 

9 

19 


In situation 1 subsystem A is optimal (denoted by the -»■) since its value of C = cost of the subsys- 
tem + E{loss} = 1 + (,9)(10)(.1) = 1 + .9 = 1 .9 is lowest among the four subsystems. Although 

subsystem A has the highest E{loss} due to subsystem failure, its lower cost of building the subsystem 
results in the lowest total for C. In situation 4 subsystem D, with the highest cost of building the 
subsystem, has the lowest C because of its low E{loss}. Since c, = 1000, greater weight is given to the 
lower Pr{subsystem failure} which results in a relatively low E{loss} due to subsystem failure. In 
general, for higher values of c, , l.e., for higher losses due to failure of the subsystem, a more reliable 
subsystem is required to minimize C. Therefore, there is no best overall subsystem, but rather a best 
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subsystem for use in a particular system . 


1.4 K OUT-OF-N:G SUBSYSTEM 

In this paper we will direct our attention to a specific type of subsystem, called a k-out-of-n:G 
subsystem. Such a subsystem has n modules, erf which k are required to be good for the subsystem to 
be good. Selection of the different values of n and k results in different subsystems, each with different 
costs and reliabilities. 

As an example consider the situation where the engineer has a certain power requirement. He 
may meet this requirement by having one large power module, two smaller modules, etc. The number 
of modules required is called k. For example, the engineer may decide that k = 4. This means that 
each module is 1 /4 of the full required power. Therefore, the subsystem must have 4 or more modules 
for the full required power. The number of modules used in the subsystem is called n. For example, an 
n = 6 and k = 4 subsystem would have 6 modules each of 1/4 th power and thus would have the 
output capability of 1 .5 times the required power. The engineer is free to choose n and k and may 
choose them to minimize C. 

In the remainder of this paper we will be presenting five models, which cover different situations 
and circumstances and are generally presented in order of Increasing complexity. 

1.5 ASSUMPTIONS AND NOTATION 

ASSUMPTIONS 

In this paper we will assume perfect switching devices (if needed) of negligible cost and 
independence of the modules of the subsystem. 

NOTATION 

n number of modules in the subsystem 

k minimum number of modules which must be good for the subsystem to be good 

r reliability of the system for other than failure of the subsystem 

c, loss due to failure of the subsystem 
o, loss due to subsystem output at v c 
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Cj cost of a one module subsystem capable of full output 

q, cost of a module in a k-out-of-n:G subsystem when k is fixed 

q cost of launching a one module subsystem capable of full power 

g(k) function which relates cost of subsystem to the number of modules in the subsystem 

w(k) function which relates cost of launching the subsystem to the number of modules in the 

subsystem 

v c fraction of subsystem output necessary so that the mission is not a failure 
p probability that a module is good 

q probability that a module fails or 1 -p 

C the total of the cost of the subsystem plus the expected loss due to subsystem failure 
A failure rate of a module 

T 0 mission time 

2. MODEL 1 

Suppose that the modules are independent and all have common probability p of being good 
and common probability of failure q = 1-p. Let X count the number of good modules. Then 

*-1 / V 

Pdsubsystem failure P/ix<ld='£ i I n | p x q n ~ x 

x-0 V XJ 

and E{loss due to subsystem failure} = rq Pr{ subsystem failure} 

=/c, PtiX<ld = f ' n ) p V* 0 ) 

x-0 \ X / 

First consider a simple situation where k Is fixed. Here we are free to choose only n. Then n-k 
will be the redundancy or number of spares in the subsystem. If each module costs q, then the cost of 
subsystem = nq, . Using this with (1 ) we obtain 
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C - cost of subsystem + E{loss due to subsystem failure} 
= nq + rq Pr{ subsystem failure} = 


=nc 4 +rc i Piisubsyst0m failure^ =nc 4 + 



p x q n-x ( 2 ) 


We wish to find the n which minimizes C (Note that n-k is the number of spares which will minimize C). 

As an example, consider the situation where k = 1, i.e. only one module is required to be 
operational for the subsystem to be operational. Suppose that the reliability of this single module is .95, 
i.e., p = .95. Let the reliability of the system other than for failure of the subsystem be .9, i.e. r = .9. 
Suppose that the cost of one module is 1, i.e., q = 1. Well again consider the four situations with q = 
10, 50, 100 and 1000 and present the results in table 2. 

Table 2 


An example of model 1 (with k fixed at 1) 
with q = 1 and p = .95. 



cost of 
subsystem 

r 

c, 

Pr(subsystem 

failure) 

E(loss) 

C 

-► n = 1 

1 

.9 

10 

.05 

.45 

1.45 

n = 2 

2 

.9 

10 

.0025 

.0225 

2.0225 

n = 3 

3 

.9 

10 

.000125 

.001125 

3.001125 


n = 1 

i 

.9 

50 

.05 

2.25 

3.25 

n = 2 

2 

.9 

50 

.0025 

.1125 

2.1125 

n = 3 

3 

.9 

50 

.000125 

.005625 

3.005625 


n = 1 

1 

.9 

100 

.05 

4.5 

5.5 

-+ n = 2 

2 

.9 

100 

.0025 

.225 

2.225 

n = 3 

3 

.9 

100 

.000125 

.01125 

3.01125 


n = 1 

i 

.9 

1000 

.05 

45 

46 

n = 2 

2 

.9 

1000 

.0025 

2.25 

4.25 

n = 3 

3 

.9 

1000 

.000125 

.1125 

3.1125 
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With c, = 10 the subsystem with the lowest C is the n = 1 subsystem, a subsystem with no spares. 
This subsystem has a reliability of 1 - Pr{ subsystem failure} = 1 - .05 = .95. With c, = 50 the n = 2 
subsystem, with one spare and a subsystem reliability of .9975, becomes the best. Here the increase in 
c, from 10 to 50 favors subsystems with higher reliability. At c, = 1000, the best subsystem, with C = 
3.1125, has n = 3, a subsystem with two spares (Note that a subsystem with n = 4 could not be best in 
this situation since the cost of building this subsystem is four and therefore C will exceed four). 
Obviously, the greater the loss due to subsystem failure, the greater the number of spares required to 
minimize C. This same principle holds for subsystems with k of 2 or more. 

3. MODEL 2 

Suppose in model 1 that we are also free to choose k in our subsystem. Let Cj be the cost of a 
subsystem of one module. Further suppose that the cost of a subsystem with exactly k modules is C3 
g(k). Here g(k) is the factor which measures the (generally) increased cost of building a subsystem 
consisting of k smaller modules rather than one large module. If g(k) = 1 for all k, then a subsystem of 
k modules costs the same as a subsystem consisting of a single module. Any g(k) may be used. For 
example, if a subsystem of 2 smaller modules costs 4 times as much as a single module subsystem then 
g(2) = 4. Therefore this subsystem would cost Cj g(k) = Cj g(k) = 4Cj. If a subsystem of 3 smaller 
modules costs 7 times as much as a single module subsystem then g(3) = 7. Other values for g(k) may 
be defined in a similar manner. Therefore g(1) = 1, g(2) = 4. g(3) = 7, etc. We also assume that each 
module in the subsystem costs Cjg(k)/k, which is 1/k th of the total cost for k modules. Since we have 
a total of n modules in the subsystem, then the cost of the subsystem = nc,g(k)/k. Using this with (1) 
we obtain 

C = cost of subsystem + E{loss due to subsystem failure} 

=nc 3 sMlk+rCi'E i ( n ) p V* ( 3 ) 

jf-0 v x) 

For any particular situation with given values of c, , c,, r, p and g(k) we select the n and k to 
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minimize C in (3). The n and k thus selected will be the optimal subsystem. A BASIC program can be 
used to search for the n and the k. See section 8 of this paper for more information. 

Consider the example of a space electrical power subsystem. A rough rule of thumb says that the 
cost of smaller modules for a space electrical power subsystem is proportional to the electrical power 
raised to the .7. Thus, for this example g(k) = k(1/ky 7 . Therefore, a subsystem consisting of a single 
module capable of full power would cost c^g(1) = Cj 1 (1 /I )r 7 = 1.0c,, a subsystem consisting of 2 
modules, each of 1/2 power, would cost c,g(2) = c,2(l/2) 7 = 1.23c, to build, etc. An n = 3 and k = 2 
subsystem, i.e., one having 3 modules each of 1/2 power, would cost nc, g(k)/k = 3x1 .23c, /2 = 1.85c, 
to build. 

Suppose that the loss due to subsystem failure, c, , is 1000 (hundreds of thousands of dollars). Let 
the reliability of the system for other than failure of the subsystem be .99, i.e. r = .99. Suppose that the 
cost of building a single module capable of full power is 2 (hundreds of thousands of dollars), i.e. c, = 
2. Suppose each module has a reliability of .95. For illustration in table 3 we’ll compute the 
components of equation (3) along with the reliability of the subsystem for various values of n and k 
(where k Is the number of modules required for full power). 
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Table 3 


An example of model 2, for various 
subsystems for r =.99, c, = 1000, Cj = 2 and p = .95 


Cost of Reliability 

n k Subsystem E{loss} C of Subsystem 


1 

1 

2 

49.5 

51.5 

.95 

2 

1 

4 

2.475 

6.475 

.9975 

2 

2 

2.462 

96.525 

98.9873 

.9025 


3 

1 

6 

.1238 

6.1238 

.999875 

3 

2 

3.6934 

7.1775 

10.8709 

.99275 

3 

3 

2.7808 

141.1988 143.9796 

.857375 


4 

1 

8 

.0062 

8.0062 

.9999937 

- 4 

2 

4.9246 

.4764 

5.4010 

.9995188 

4 

3 

3.7077 

13.8786 

17.5863 

.9859812 

4 

4 

3.0314 

183.6389 186.6703 

.8145062 


5 

1 

10 

.0003 

10.0003 

.9999997 

5 

2 

6.1557 

.0297 

6.1854 

.99997 

5 

3 

4.6346 

1.1465 

5.7812 

.99884 

5 

4 

3.7893 

22.3666 

26.1559 

.97741 

5 

5 

3.2413 

223.9569 227.1982 

.77378 


6 

1 

12 

.00002 12.00002 

.999999+ 

6 

2 

7.3869 

.0018 

7.3887 

.9999982 

6 

3 

5.5616 

.0086 

5.6471 

.9999136 

6 

4 

4.5471 

2.2075 

6.7547 

.9977701 

6 

5 

3.8896 

32.4461 

36.3357 

.9672261 

6 

6 

3.4235 

262.2591 

265.6826 

.7350918 


A look at table 3 shows that the simple one module power subsystem (n = 1 and k = 1 ) has the 
lowest cost, 2, of building the subsystem. However, the high expected loss due to subsystem failure 
results In a high overall value for C of 51.5. The subsystem of n = 2 and k = 1 consists of two modules, 
only one of which is required for full power. Although this subsystem is more expensive to build than 
the n = 1 and k = 1 subsystem, its higher subsystem reliability results in a lower E{loss} due to 
subsystem failure and a lower total C. The n = 2 and k = 2 subsystem has a lower reliability (.9025) 
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because this subsystem requires that both modules be operational for full power. This lower reliability 
results In a higher E{loss} and therefore a higher C. A look over the entire table shows that the 
minimum value of C occurs at n = 4 and k = 2 with a subsystem reliability of .99952. This subsystem 
consists of four modules, of which two are required for full power. One can also see from table 3 that 
there are a number of near optimal subsystems (n = 4 and k = 2, n = 5 and k = 3, n = 6 and k = 3) 
all of which have approximately the same values for C. Choices among these may also be made based 
upon other criteria. The n and k which minimize C are given for various values of Cj and p in table 4. 

Table 4 


Optimum n and k (for model 2) for r = .99 
and c, = 1000 which yield minimum C 


C3 

p = .80 

p = .90 

p = .95 

p =.99 

p = .999 

n,k 

16,7 

10,5 

7,4 

2,1 

3,2 

1 Cost of Subsystem 

4.10 

3.24 

2.65 

2.00 

1.85 

Rel. of Subsystem 

.99975 

.99985 

.99981 

.9990 

.99999 

C 

4.34 

3.39 

2.84 

2.09 

1.85 


n,k 

2 Cost of Subsystem 
Rel. of Subsystem 
C 

12,5 

7.78 

.99942 

8.35 

8,4 

6.06 

.99957 

6.49 

4,2 

4.92 

.99952 

5.40 

3.2 

3.69 

.99971 

3.99 

1.1 

2.00 

.99900 

2.99 

n.k 

8,3 

6,3 

2.1 

3,2 

1.1 

5 Cost of Subsystem 

18.54 

13.90 

10.00 

9.23 

5.00 

Rel. of Subsystem 

.99877 

.99873 

.99750 

.99970 

.99900 

C 

19.76 

15.16 

12.48 

9.53 

5.99 


The values for n = 4 and k = 2 are the same as those given in table 3 where Cj = 2 and p = .95. 
Also note that, for a given p, that C is minimized for smaller values of n and k for the more costly 
subsystems, e.g., for p = .8, the subsystem n = 16 and k = 7 minimizes C for Cj = 1 while n = 12 and 
k = 5 minimizes C for Cj = 2. For a given Cj, less redundancy is required for more reliable modules. 
This same pattern holds for different cost and loss functions. Although this pattern is intuitive, an 
advantage of this method is that it provides an exact solution along with its expected losses . 
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We may use table 4 to find the n and k which minimize C. However, we may also use it to compare 
different subsystems. Suppose that we could build, or purchase from supplier 1 , a one module 
subsystem capable of full power for c, = 1 with p = .8. Suppose further that supplier 2 could build a 
similar subsystem but with p = .95 for c, = 2. A third subsystem from supplier 3 has Cj = 5 with p = 
.999. Here we will assume that more complicated subsystems will all increase by g(k) = (1 /k) 7 . To 
compare the 3 suppliers compare the optimal subsystems from each. The first entry in table 4 shows, 
for the first supplier with C3 = 1 and p = .8, that the optimum solution (n = 16 and k = 7) is to build a 
subsystem of 16 modules, each 1/7 th of full power. The cost of building this subsystem is nCjg(k)/k = 
16x1(1 /7X 7 = 4.10, while its reliability is .99975 with a total for C of 4.34. The optimum solution for 
supplier 2 (with C3 = 2 and p = .95) is to build an n = 4 and k = 2 subsystem of 4 modules, each of 
1/2 power. The cost of building such a subsystem is 4.92. It has a reliability of .99952 with C = 5.40. 
Since 4.34 < 5.40, choose the subsystem from supplier 1 . Supplier 3 (with cj = 5 and p = .999) would 
not be chosen since his optimum solution (n = 1 and k = 1) has C = 5.99, which is higher than C = 
4.34, the lowest C for supplier 1 . 

4. LAUNCHING COSTS OF THE SUBSYSTEM 

There are circumstances when other cost factors are important and need to be considered. One 
such situation would be in space applications, where the weight of the subsystem is an important cost 
factor. The modification required here is to add the cost of launching the subsystem to C so that 
C = cost of subsystem + cost of launching subsystem (4) 

+ E{loss due to subsystem failure} 

If we are choosing between two subsystems of equal weight, then the same cost of launching the 
subsystem is contained in C for both subsystems and may therefore be dropped from further consid- 
eration. So the only time we need consider the launching costs is when the weights are different. 

In the previous section we chose (with the use of table 4) a subsystem of n = 16, k = 7, p = .80 
and C = 4.34 from supplier 1 over the subsystem from supplier 2 with n = 3, k = 2, p = .95 and C = 
5.40. If these subsystems are used in a launch situation, we need to ask whether there are any 
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differences in launch costs. Although the subsystem from supplier 2 has a higher C, it may be lighter 
and therefore have a lower launch cost. Therefore, we need to compare the minimum C’s in (4) 
between the two suppliers to determine which supplier should be used. In order to minimize C in (4) we 
need a general cost of launching subsystems of different n’s and k’s. Let w(k), a function similar to the 
g(k) function, be the function which gives the (generally) increasing costs of launching more complex 
subsystems, i. e., subsystems having smaller modules. For example, if w(2) = 1.5, then a subsystem 
consisting of 2 smaller modules will cost 1.5 times as much to launch as the one module subsystem. If 
w(k) is specified then C becomes 

C= nc^K)(k* net w(k)lk+ nc, £ [ n ] p *q^\ ( 5 ) 

x*Q\X) 


Consider the three suppliers mentioned previously, i.e., supplier 1 with modules of p = .80 for c, = 
1, supplier 2 with p = .95 for Cg =2 and supplier 3 with p = .999 for Cg = 5. Table 5 presents the 
optimum n and k for various values of , the cost of launching a one module subsystem. 

Table 5 


Optimum n and k for model 2 for the example of 
the three suppliers which yield minimum cost C 


Supplier Cg q = 0.5 

^ = 1-0 

cP 

II 

ro 

o 

C; = 3.0 

n,k 14,7 

12,5 

10,4 

10,4 

1 1 Rel. of Subsystem .99962 

.99942 

.99914 

.99914 

C 6.37 

8.35 

12.22 

16.01 



n,k 4,2 

4,2 

4,2 

2,1 

2 

2 Rel. of Subsystem .99952 

.99952 

.99952 

.99750 


C 6.63 

7.86 

10.33 

12.48 



n,k 1,1 

1,1 

1,1 

1,1 

3 

5 Rel. of Subsystem .99900 

Qoonn 

• vAA/UU 

.99900 

.99900 


C 6.49 

6.99 

7.99 

8.99 


Supplier 1 should be used if q =0.5 since C is lowest for supplier 1. For <% = 1, 2 or 3, supplier 3 
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should be chosen. Note that supplier 3 does not have the subsystem with the highest reliability. 
Throughout the remainder of this paper we will not explicitly consider the cost of launching the 
subsystem, since this cost may be included in the other models by inclusion of the term nc^w(k)/k in the 
equation for C in each model. 

5. MODEL 3 

Now consider a more generalized loss 
function than that of model 2. Suppose that loss 
due to subsystem failure is given by figure 1 , 
where v is the ratio of the actual output of the 
subsystem to the specification output. 

If v drops below some critical value v c , the 
loss is c, , e.g., if the output falls so that v is 
below a critical fraction v c , the mission is a 
complete failure. However, if v is at v c , then the 
loss is only q . As v increases above v c , this loss 
decreases until there is no loss at full output. 

Figure 1 shows h as a linear loss function but 

other loss functions, e.g., a decreasing multi-step function, might be appropriate. Note that, since we 
have identical modules, h takes on values only at v = x/k. If we let h(v) = a - av, for 
v c < v < 1, where a = c,/(1-v c ), then 



***'•, „\ *-i /n \ 

n p " P V* (a-fltfA) 

x-0 V X) Xikv, \Xj 


( 6 ) 
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Note that the third term on the rhs is expected loss due to partial failure of the subsystem. Again we 
can find, by means of the BASIC program described in section 8, the n and k which minimize C. 

6. MODEL 4 

Suppose that we have a situation similar to 
model 3 with c, = Cj but now wish to consider 
time of the mission. If we assume that the 
individual elements fail exponentially with failure 
rate A. , then the probability of an element still 
operating successfully at time t is exp(-At). To 
find f(x,t), first let f(t|x) be the time at which the 
x* h success occurs (the waiting time for the (n- 
x) ,h failure), given that n-x failures have occurred 
before mission time T 0 . Then 



Figure 2 Loss Function for Model 4 


r 0 

fm-Lmifmwdt o <t<r 0 

o 

where - — [exp (-Xt)] x Aexp(-Af )[1-exp(-Af )r'. 

xl(/j-x-1)l 

where $(x) =| [exp(-A T 0 )\* [1 -exp(-A r 0 )]"' Jt x=0,1 n. 


If the output fraction is at v c at the start of the mission, our loss is c^. We further assume that as the 
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output fraction increases above v c , then this loss decreases until there is no loss at full output. With 
output at or above v c , losses decrease with increasing time until there is no loss beyond mission time T 0 . 
In figure 2 we assumed our loss function h(v,t), for any given v above v c , will decrease linearly with time 
until no loss occurs above T 0 . Additionally, for any given t, h(v,t) decreases as v increases above v c . 

Consider now a general loss function h(v,t) [not necessarily the one illustrated by figure 2]. Again, 
for a given t, h takes on values only for v = x/k. Now we have 

ft r o 

C^nc# (*)/*+/£ / h (x}k.t ) f (x,t )dt. (8) 

Jf-0 o 

Note that the last term on the rhs of (7) is the expected loss due to subsystem failure. If we let 

h(xtk f t)=dmEb J ti (9) 

h o 


then, after integrating, (7) becomes 

m k - 1 n-i r-1 / . v 

C=nc a g(K}lk+r £*>,[£ £ <-1) M , 

>0 jr^O bO \ I / 

[exp(-X7- 0 (x + M))£ (/ l^/l(/-s)l(A(x + / + 1)r 1 l-/ l[A(x+/+1)] J '“ 1 ] ] 

9-0 

n- jr-1 , 1 v 

where JM-toWr 1 £ H) ' f n ~* II -exp(-X 7' 0 (x + M)J(x + / + 1)- 1 
with ^=f^exp(-Aro)r [1 -exp(-xr 0 )J n - Jf x=0,1 n. 


We wish to find the n and k which minimize C. Minimizing C in (8) is appropriate for any loss 
function of the form (9). Let us use the loss function given in figure 2. For 0 < x < kv c , d(x/k) = 1 , m = 
1. tb = Cj and b, = - cfeT 0 '\ For kv c < x< k-1 we have d(x/k) = 1 - x/k, m = 1, t*, = a and b, = -aV 
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where a = q, (1 -v c ) -1 with 0 < v c < 1. Using (9) we obtain 

C=nc i g( tyk 

U E E (-in I P(^/-1)]- 1 [exp(-X7- 0 (x + / + 1))-1] 

*-o A -0 V • ) 

J«*V, fl-X-1 / „ . x 

E (-in f 

x-o /-o V ' y 

[exp(-A.7J,(jf+/+1))[r 0 (X(x+/+1))" 1 +(A(x+/+1))‘ 2 l-(X(x+/+1))' 2 ] (11) 

*-1 »- x -1 / 1 \ 

+*E 4*)(1-*A)E (-1) M r'f 1 W/ + 1)]- 1 [exp(-xr 0 (x + / + 1)-1] 

k - 1 n-x-1 / 1 \ 

-aV £ 4*)<1-*/A) E f 

x*Av 0 >«0 V ' / 

[exp(-X7J,(x+/+1))[7J,(A(x+/+1))' 1 +(A(x+/+1))' 2 l-(X(x+/+1))‘ 2 ] } 

6.1 Model 4 Applications 

Model 4 might reasonably be applied to non-recoverable systems which, at the end of their service 
life, have no intrinsic or salvage value or which are prohibitively expensive to recover. Examples include 
undersea sonar systems anchored in deep water, instrument/telemetry packages located in remote 
regions or communications satellites in geosynchronous orbit. For a geosynchronous communications 
satellite a number of subsystems could be chosen as an example. Let us examine the satellite power 
system which can be divided into smaller identical modules. We will use the rule of thumb which says 
that the cost of a space power subsystem is proportional to the electrical power raised to the .7, which 
gives g(k) = k(1 /k ) 7 . Suppose that the mission life is 7 years and that the reliability of the satellite 
(exclusive of the power subsystem) over the mission life is .90. Because the satellite needs power for 
stationkeeping, computers and cooling, at least 10% of the specification power is needed for the satellite 
to survive. Therefore, v c is 0.1. Suppose that the satellite generates $2 million per month revenue. In 
the event of satellite failure, a new satellite could be launched within two years at a cost of $1 15 million. 
Therefore q = 163 (115 plus 48 in lost revenue). Here we will assume that revenue is roughly 
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proportional to power, i.e., if a module of the power system fails, then one or more channels are no 
longer available (in other applications, failure of a module may result in increased load on the remaining 
modules, thereby increasing the failure rate.) Table 6 gives the n and k which minimizes C for various 
values of Cj and different failure rates of a module of the power subsystem. As Cg increases, both n and 
k decrease and higher values of A (lower reliability) require greater redundancy to minimize C. 


Table 6 


Optimum n and k (for model 4) which yield 
minimum cost C for the example Note: A (ID 6 /hour) 


Cj 


A = 15 

A = 10 

A = 2.5 


n.k 

10,2 

10,3 

4,2 


Cost of Subsystem 

6.16 

4.63 

2.46 

1 

Rel. of Critical Subsystem 

.993811 

.999590 

.999592 


Rel. of Full Subsystem 

.952789 

.969021 

.989740 


C 

7.35 

5.43 

2.90 


n,k 

4.1 

3.1 

2,1 


Cost of Subsystem 

20 

15 

10 

5 

Rel. of Critical Subsystem 

.869185 

.903686 

.979800 


Rel. of Full Subsystem 

.869185 

.903686 

.979800 


C 

25.16 

19.22 

11.03 


n,k 

3.1 

2,1 

1.1 


Cost of Subsystem 

30 

10 

10 

10 

Rel. of Critical Subsystem 

.782483 

.789883 

.857872 


Rel. of Full Subsystem 

.782478 

.789883 

.857872 


C 

40.38 

31.90 

20.69 
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7. MODEL 5 


Suppose that we have a situation similar to 
model 4 but now assume a loss of c, if the output 
fraction from the subsystem is below v c anytime 
during the life of the mission. An example of such a 
loss function is given by figure 3. 

Using this loss function, for x<kv c , tfc = c, and 

b, = 0 and for kv c < x< k-1, we have d(x/k) = 1 - 
x/k, m = 1, fcfc = a and b, = -aT 0 _1 where a = 

c, (1 - vj 1 with 0 < v c < 1. Using (9) we obtain 


* t n \ 

C*nejWk*ic t E [expi-XTJW-eM-lTjr* 

x.O \XJ 

+r [a£ JiW-mlt' (-1) , ‘ 1 f n T 1 ) [A(*+M)]>xp(-xr 0 (x + / + 1)-1] 

hO \ • ) ^ 2 ) 

*-1 »-*-1 / n v - t \ 

-ar 0 4E jm( um E (-in i 

x±kv a hO \ / / 

[exp(-Xr 0 (x + M))[r 0 (X(x>/ + 1))- 1 + (X(x + M))- 2 l-(A(x + / + 1))- 2 ] ]. 

Model 5 could be applied to recoverable systems, systems which have inherent salvage value or 
manned systems. Examples include manned aircraft or spacecraft, recoverable undersea vehicles or 
spacecraft. Model 5 implies that if the output fraction of the subsystem falls below the critical value v c , 
something catastrophic will occur, such as loss of the whole system or loss of life. With these systems, 
loss or significant degradation of a critical subsystem might cause loss of the craft and occupants. 
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8. BASIC PROGRAMS 


The authors will provide, upon request, copies erf Basic programs (Quickbasic 4.5) to both evaluate 
C and also to search for an n and k which minimize C. These programs are also appropriate for models 
1, 2, 3, 4 and 5 (If you wish a copy on disk, please send a formatted 5 1 /4“ double-density floppy with 
your request). We also note that models 2, 3, 4 and 5 may be used when k is fixed by replacing 
n Pjg(k)/k by no*. Additionally, the cost of launching the subsystem may easily be considered merely by 
including this cost in C for the various models. 

9. SUMMARY 

Table 7 contains a summary of the five models which can be applied in a 
redundancy cost analysis. 


Table 7 

Redundancy Cost Models Considered in this Paper 

Model 1 Simplest cost model. The subsystem consists of n modules, of which k are required for 

success of the mission. If less than k modules are good, a loss of c, occurs. In model 
1 , k is fixed. The g(k) cost function is also available to be used where increased 
redundancy brings in more (non-linear) cost. For spacecraft, launching costs may also 
be included in all the models. 

Model 2 Same as model 1 except k may also vary. 

Model 3 Model 3 expands on models 1 and 2. Linear (or other) loss functions are utilized. If 

less than k modules are good, some loss will occur but not necessarily the entire loss of 
c, . The loss which occurs depends upon some critical output fraction v c . 

Model 4 Model 4 brings in the time domain to the loss function. Modules in the subsystem will 

fail exponentially with rate A . 

Model 5 Model 5 handles situations where output fraction below v c causes a loss which is not 

time dependent, for example, to manned space missions where loss of a major portion 
of a critical subsystem may cause loss of life. 
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